Monitoring, measurement, analysis, and evaluation, part a)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: what needs to be monitored and measured, including information security processes and controls. Documented information shall be available as evidence of the results.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Monitoring, measurement, analysis, and evaluation, part b)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid. Documented information shall be available as evidence of the results.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Monitoring, measurement, analysis, and evaluation, part c)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: when the monitoring and measuring shall be performed. Documented information shall be available as evidence of the results.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Monitoring, measurement, analysis, and evaluation, part d)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: who shall monitor and measure. Documented information shall be available as evidence of the results.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Monitoring, measurement, analysis, and evaluation, part e)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: when the results from monitoring and measurement shall be analysed and evaluated.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Monitoring, measurement, analysis, and evaluation, part f)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: who shall analyse and evaluate these results. The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
- CPL-01.1 - Non-Compliance Oversight
- CPL-03 - Cybersecurity & Data Protection Assessments
- GOV-01.2 - Status Reporting To Governing Body
- GOV-05 - Measures of Performance
Internal audit, General, part a)
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: conforms to the organization’s own requirements for its information security management system; and the requirements of this International Standard.
Internal audit, General, part b)
The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: is effectively implemented and maintained.
Internal audit programme, part a)
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: define the audit criteria and scope for each audit. Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
Internal audit programme, part b)
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
Internal audit programme, part c)
The organization shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. When establishing the internal audit programme(s), the organization shall consider the importance of the processes concerned and the results of previous audits. The organization shall: ensure that the results of the audits are reported to relevant management. Documented information shall be available as evidence of the implementation of the audit programme(s) and the audit results.
Management review, General
Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
Management review inputs, part a)
The management review shall include consideration of: the status of actions from previous management reviews.
Management review inputs, part b)
The management review shall include consideration of: changes in external and internal issues that are relevant to the information security management system.
Management review inputs, part c)
The management review shall include consideration of: changes in needs and expectations of interested parties that are relevant to the information security management system.
Management review inputs, part d)
The management review shall include consideration of: feedback on the information security performance, including trends in: nonconformities and corrective actions; monitoring and measurement results; audit results; and fulfilment of information security objectives.
Management review inputs, part e)
The management review shall include consideration of: feedback from interested parties.
Management review inputs, part f)
The management review shall include consideration of: results of risk assessment and status of risk treatment plan.
Management review inputs, part g)
The management review shall include consideration of: opportunities for continual improvement.
Management review results
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.